IN THE CLAIMS 

This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1. (Currently Amended) A method for providing computer security, comprising: 

providing an executable associated with a static state; 

determining whether the executable meets a predetermined criterion; 

associating a first risk level with the executable, if it is determined that the 
executable meets the predetermined criterion; 

allowing the executable to execute if the first risk level does not exceed a 
threat detection threshold; 

updating the first risk level to a second risk level that is higher than the 
first risk level if a process [[associated with]] started by the executable after the executable 
has been allowed to execute is observed to perform or attempt an action with which the 
second risk level is associated; and 

performing a predetermined responsive action with respect to one or both 
of the process and the executable if the second risk level exceeds the threat detection 
threshold; 

wherein determining whether the executable meets the predetermined 
criterion does not compare the executable with a virus signature. 

2. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the risk level indicates a level of potential risk that will be brought by operating the 
executable. 

3. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the risk level indicates how much risk the executable presents. 

4. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion includes a configuration criterion. 

5. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable is configured as 
a service. 

6. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable is configured to 
run under a highly privileged account. 

7. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable is installed via a 
standard procedure. 

8. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has sufficient 
access control. 

9. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable is modified. 

10. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable is signed. 

11. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has a modified 
date different from created date. 

12. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion includes a capability criterion. 

13. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has networking 
capability. 

14. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has privilege 
manipulation capability. 

15. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has remote 
process capability. 

16. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has process 
launching capability. 

17. (Previously Presented) The method for providing computer security as recited in Claim 1, 
wherein the predetermined criterion is used to determine whether the executable has secure 
coding violation. 

18. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising associating with the executable a risk type indicating a type of risk to which 
the executable is vulnerable. 



19. (Canceled) 

20. (Canceled) 

21. (Canceled) 

22. (Canceled) 

23. (Canceled) 

24. (Canceled) 

25. (Canceled) 

26. (Canceled) 

27. (Canceled) 

28. (Canceled) 

29. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising analyzing historical evidence. 

30. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising analyzing historical evidence, wherein the historical evidence includes a 
record of activities. 

31. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising analyzing historical evidence, wherein the historical evidence includes a log 
file. 

32. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising analyzing historical evidence, wherein the historical evidence includes a 
system optimization file. 

33. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising analyzing historical evidence, wherein the historical evidence includes a 
crash dump file. 

34. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising analyzing historical evidence, wherein the historical evidence includes a 
prefetch file. 

35. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising performing a dynamic risk analysis. 

36. (Previously Presented) The method for providing computer security as recited in Claim 1, 
further comprising determining whether an action is required. 

37. (Currently Amended) A system for providing computer security, comprising: 

a processor configured to: 



Application Serial No. 10/782,396 
Attorney Docket No. SYMAP043 



provide an executable associated with a static state; 

determine whether the executable meets a predetermined criterion; 

associate a risk level with the criterion, if it is determined that the 
executable meets the predetermined criterion; 

allow[[ing]] the executable to execute if the first risk level does not 
exceed a threat detection threshold; 

updat[[ing]]e the first risk level to a second risk level that is 
higher than the first risk level if a process [[associated with]] started by the 
executable after the executable has been allowed to execute is observed to 
perform or attempt an action with which the second risk level is associated; and 

perform[[ing]] a predetermined responsive action with respect to 
one or both of the process and the executable if the second risk level exceeds the 
threat detection threshold; 

wherein determining whether the executable meets a 
predetermined criterion does not compare the executable with a virus signature; 
and 

a memory coupled with the processor, configured to provide the processor 
with instructions. 

38. (Currently Amended) A computer program product for providing computer security, the 
computer program product being embodied in a computer readable medium and comprising 
computer instructions for: 

providing an executable associated with a static state; 

determining whether the executable meets a predetermined criterion; 

associating a risk level with the criterion, if it is determined that the 
executable meets the predetermined criterion; 

allowing the executable to execute if the first risk level does not exceed a 
threat detection threshold; 

updating the first risk level to a second risk level that is higher than the 
first risk level if a process [[associated with]] started by the executable after the executable 
has been allowed to execute is observed to perform or attempt an action with which the 
second risk level is associated; and 

performing a predetermined responsive action with respect to one or both 
of the process and the executable if the second risk level exceeds the threat detection 
threshold; 

wherein determining whether the executable meets a predetermined 
criterion does not compare the executable with a virus signature. 
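
The flow recited in Claim 1 (static criteria, first risk level, threshold gate, runtime update to a second risk level, responsive action), sketched as an added example that is not code from the application or the applicant. The criterion names, weights, threshold value, action names and response name are all assumptions chosen for illustration; the sample executable is constructed.

```python
from dataclasses import dataclass, field

THRESHOLD = 70  # assumed threat detection threshold

# Assumed static criteria (configuration and capability checks of the kind the
# dependent claims name) with assumed weights. No virus signature is consulted.
STATIC_CRITERIA = {
    "runs_as_service": 15,
    "highly_privileged_account": 20,
    "unsigned": 15,
    "modified_after_creation": 10,
    "networking_capability": 10,
}

# Assumed risk level associated with each observed runtime action.
ACTION_RISK = {
    "open_listening_socket": 60,
    "adjust_token_privileges": 80,
    "write_remote_process_memory": 90,
}

@dataclass
class Executable:
    path: str
    traits: set
    risk: int = 0
    log: list = field(default_factory=list)

def static_assessment(exe):
    """Associate a first risk level from static criteria, then gate execution."""
    exe.risk = sum(w for name, w in STATIC_CRITERIA.items() if name in exe.traits)
    allowed = exe.risk <= THRESHOLD  # allowed if it does not exceed the threshold
    exe.log.append(("static", exe.risk, "allow" if allowed else "block"))
    return allowed

def observe(exe, pid, action):
    """Handle an action performed or attempted by a process the executable started."""
    second = ACTION_RISK.get(action, 0)
    if second > exe.risk:            # only ever update to a higher risk level
        exe.risk = second
    response = "terminate_and_quarantine" if exe.risk > THRESHOLD else "none"
    exe.log.append((pid, action, exe.risk, response))
    return response

def demo():
    # Constructed sample: an unsigned, network-capable service.
    exe = Executable("C:/constructed/svc.exe",
                     {"runs_as_service", "unsigned", "networking_capability"})
    allowed = static_assessment(exe)
    r1 = observe(exe, 1234, "open_listening_socket")
    r2 = observe(exe, 1234, "adjust_token_privileges")
    return allowed, r1, r2, exe.risk
```
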